From nobody Tue Nov 15 01:42:45 2022
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NB87n3nF1z4hRWp;
	Tue, 15 Nov 2022 01:42:45 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NB87n3JXYz45xW;
	Tue, 15 Nov 2022 01:42:45 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1668476565;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=8iorTYYtBZ4sRMQOxUjljChdz3yfn3ashR/PogQqu/I=;
	b=w5Iep2BluNP6PcjCVoSCp7BwMhXYu6pvT21TQTF6EMprj06wYlnvaLuyd2Z3r7BX8PFJEA
	c6nmynUWEDpUYRiLbcSKQggKXx2OrSKJmstVk0JNWToAtaXt8l9w4nppq4IW7COFWct9Vx
	khYrL+87ogjZcvbivZ4Gs8b1F0fkfstLt46ygflz0pkXZcybzUIB543vTTuu+3KLmrenUb
	xbnw8COonxF2rQX2IJJMkOUFkYYd1n9QkXzjOJ+0jlOXx0ljzKx2SFo7/bo0OE82L+se79
	Pwejq3BQjPIjlCZNN/OSND1imVQNtnTLXH/h2sID7UB5cH4RwsXMAJlNKLGdVQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1668476565;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=8iorTYYtBZ4sRMQOxUjljChdz3yfn3ashR/PogQqu/I=;
	b=lJMoCyNjozi2Aq4EIa/LZxFVK3OGvgDDe92RtMEbeygrWKw5+swT3v05hm9B83Ms36z4+D
	J1ICwnwYhtXSqbGs3bEowmmFsfDqLhH9MvTgvzmYpXdyS6BMUT7sG0RJPBY4HrUSUlE+k/
	VNvDYHLObu2Zt9AwhEGfg5GhHJdkBYQ9JqlGBfvuqIpKebXFZB6obT0ztKBiUr6frGHcNT
	WUQAJjVBTdRE0tyFkxEZo47ppFF+BsGYZBjnsYST0oC21GjfX2oab6EHAtx+8B8dr4Hxip
	xkv5u9go6SUVktRbyfsQD1fjdmDv0OA1iYQNQiW9tuLhcz8Ce8RVTP7Bd75lqg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1668476565; a=rsa-sha256; cv=none;
	b=QXhzq2Y6pwUpL31B2XqeU6IzwxDefQPG8BMkxxz/WCSNaynw7xoIGUONh8mOK871I4h39T
	EF+jTC7+wBSU0JXCRyKjPpwSqMtQT948n7lLPm3o/CM7oAwTWUXR332BKK5EiM95BAjRYF
	nFvx/wbEKcvTFDpuAHVw1vDvoodNSygQnDvYmJXo+y77LJv8kvbKU2iFe3yfUI4c8aP68Y
	zFgSvvq9UG0BY+2yCrfVnsmI9gE9XBBqaMwwSXbMrMiCZC47BBCfwnjVejzdsIrP2uZBA0
	Q5serje3rAgE050GXN9ov6vAIKS3m0ugkIkjLO2h3kNiYps9E2FM5Gfn8e7LhQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4NB87n2Mqfz13vm;
	Tue, 15 Nov 2022 01:42:45 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2AF1gj0r062410;
	Tue, 15 Nov 2022 01:42:45 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2AF1gjhs062409;
	Tue, 15 Nov 2022 01:42:45 GMT
	(envelope-from git)
Date: Tue, 15 Nov 2022 01:42:45 GMT
Message-Id: <202211150142.2AF1gjhs062409@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: git: 8fbc0cc23a60 - stable/13 - <crypto/chacha20_poly1305>: Fix operations with 8 byte nonce.
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 8fbc0cc23a607bb1a5ef13e18d9e19b5ee54a90d
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=8fbc0cc23a607bb1a5ef13e18d9e19b5ee54a90d

commit 8fbc0cc23a607bb1a5ef13e18d9e19b5ee54a90d
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-11-15 01:24:56 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-11-15 01:39:54 +0000

    <crypto/chacha20_poly1305>: Fix operations with 8 byte nonce.
    
    In head, the inline ChaCha20+Poly1305 API is implemented using the
    software implementation backing OCF, but that requires API changes
    that can't be MFC'd.  As a result, this API in stable/13 uses
    libsodium directly.
    
    However, libsodium's version of ChaCha20+Poly1305 with an 8 byte nonce
    uses a different construction for the Poly1305 hash than is used for
    the standard IETF AEAD cipher used for TLS and IPsec.  WireGuard's use
    of an 8 byte nonce also uses the more standard construction.
    
    Since the verison in stable/13 was using libsodium directly for the 8
    byte nonce case, it was generating incorrect MACs for if_wg(4).  As a
    workaround, change the direct API to always use the IETF API from
    libsodium which uses 12 byte nonces.  This can be done by
    zero-extending the provided 8 byte nonce to 12 bytes so long as the
    passed in buffers are sufficiently small to not overflow a 4 byte
    counter.
    
    This fixes key negotiation for if_wg(4) on stable/13.  This is also
    a direct commit to stable/13.
    
    Reported by:    Marek Zarychta <mzar@bpine64.dom.potoki.eu>
---
 sys/crypto/chacha20_poly1305.c | 46 +++++++++++++++++++++++++++++++++---------
 1 file changed, 36 insertions(+), 10 deletions(-)

diff --git a/sys/crypto/chacha20_poly1305.c b/sys/crypto/chacha20_poly1305.c
index 9aaa570ccca4..516fc333f949 100644
--- a/sys/crypto/chacha20_poly1305.c
+++ b/sys/crypto/chacha20_poly1305.c
@@ -34,17 +34,38 @@
 #include <sodium/crypto_aead_chacha20poly1305.h>
 #include <sodium/crypto_aead_xchacha20poly1305.h>
 
+/*
+ * libsodium's chacha20poly1305 AEAD cipher does not construct the
+ * Poly1305 digest in the same method as the IETF AEAD construct.
+ * Specifically, libsodium does not pad the AAD and cipher text with
+ * zeroes to a 16 byte boundary, and libsodium inserts the AAD and
+ * cipher text lengths as inputs into the digest after each data
+ * segment rather than appending both data lengths after the padded
+ * cipher text.
+ *
+ * Instead, always use libsodium's chacha20poly1305 IETF AEAD cipher.
+ * This cipher uses a 96-bit nonce with a 32-bit counter.  The data
+ * encrypted here should never be large enough to overflow the counter
+ * to the second word, so just pass zeros as the first word of the
+ * nonce to mimic a 64-bit nonce and 64-bit counter.
+ */
 void
 chacha20_poly1305_encrypt(uint8_t *dst, const uint8_t *src,
     const size_t src_len, const uint8_t *aad, const size_t aad_len,
     const uint8_t *nonce, const size_t nonce_len, const uint8_t *key)
 {
+	char local_nonce[12];
+
+	MPASS(aad_len + src_len <=
+	    crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX);
 	if (nonce_len == crypto_aead_chacha20poly1305_ietf_NPUBBYTES)
-		crypto_aead_chacha20poly1305_ietf_encrypt(dst, NULL, src,
-		    src_len, aad, aad_len, NULL, nonce, key);
-	else
-		crypto_aead_chacha20poly1305_encrypt(dst, NULL, src,
-		    src_len, aad, aad_len, NULL, nonce, key);
+		memcpy(local_nonce, nonce, sizeof(local_nonce));
+	else {
+		memset(local_nonce, 0, 4);
+		memcpy(local_nonce + 4, nonce, 8);
+	}
+	crypto_aead_chacha20poly1305_ietf_encrypt(dst, NULL, src, src_len,
+	    aad, aad_len, NULL, local_nonce, key);
 }
 
 bool
@@ -52,14 +73,19 @@ chacha20_poly1305_decrypt(uint8_t *dst, const uint8_t *src,
     const size_t src_len, const uint8_t *aad, const size_t aad_len,
     const uint8_t *nonce, const size_t nonce_len, const uint8_t *key)
 {
+	char local_nonce[12];
 	int ret;
 
+	MPASS(aad_len + src_len <=
+	    crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX);
 	if (nonce_len == crypto_aead_chacha20poly1305_ietf_NPUBBYTES)
-		ret = crypto_aead_chacha20poly1305_ietf_decrypt(dst, NULL,
-		    NULL, src, src_len, aad, aad_len, nonce, key);
-	else
-		ret = crypto_aead_chacha20poly1305_decrypt(dst, NULL,
-		    NULL, src, src_len, aad, aad_len, nonce, key);
+		memcpy(local_nonce, nonce, sizeof(local_nonce));
+	else {
+		memset(local_nonce, 0, 4);
+		memcpy(local_nonce + 4, nonce, 8);
+	}
+	ret = crypto_aead_chacha20poly1305_ietf_decrypt(dst, NULL, NULL,
+	    src, src_len, aad, aad_len, local_nonce, key);
 	return (ret == 0);
 }